All Fresh CortexUtils, New Cortex Analyzers

Ahead of the imminent release of Mellifera 12 (TheHive 2.12.0), a new, major (as in MAJOR) version of your (soon to be?) favorite Security Incident Response Platform, we’ve made rather significant changes to Cortex analyzers and released a new version of the CortexUtils Python library.

TL;DR

If you are in a hurry:

$ sudo pip install cortexutils --upgrade
$ cd where/your/analyzers/are
$ git pull master

Adjust the Cortex configuration for the new MISP 2.0 analyzer and for Hippocampe as shown below if you are using these analyzers then import the corresponding report templates into TheHive:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

CortexUtils 1.2.0

CortexUtils has been updated to include a new function called build_taxonomy() which is required for analyzers relying on the Python library we released to make their development development easier.

Mini-Reports in The Observable Tabs

Starting from Mellifera 12 (TheHive 2.12.0), mini-reports will be displayed in the observable tab in each case as soon as an analysis has been completed. Now analyzers compute their short/mini reports and put them in the summary section of their JSON output, ready for consumption. TheHive 2.12.0 and up will no longer create them on-the-fly.

Taxonomy

The mini-reports of all the analyzers have been updated to comply with a taxonomy that is similar to the one we were already using for VirusTotal:  VT:Score="14/56”.  A “maliciousness” level was already included in TheHive’s analyzer templates and we used a specific color to display each level. This level is now produced directly by the analyzers:

  • info / blue: the analyzer produced an information, and the short report is shown in blue color in TheHive.
  • safe / green : the analyzer did not find anything suspicious or the analyzed observable is safe (according to the analyzer). TheHive displays the short report in green color.
  • suspicious / orange : the analyzer found that the observable is either suspicious or warrants further investigation. The short report is orange colored in TheHive.
  • malicious / red : the analyzer found that the observable is malicious. The short report is displayed by TheHive in red color as show below:

sc-short-VT.png

The short report is built with the summary() function of an analyzer. The build_taxonomy() of cortexutils mentioned earlier should help building it.

MISP 2.0

The MISP analyzer has been updated to version 2.0 and includes new functionality submitted by our long-term contributor Nils Kuhnert from CERT-Bund (thanks a heap!). Unlike the previous version, v 2.0 will let you search for an observable in multiple MISP servers at the same time.

The analyzer accepts a truckload of datatypes as input. To make it work, install the pymisp Python library. It should already have been installed if you are just updating your current analyzers. You will also have to change Cortex configuration file (application.conf) for this new version:

MISP {
 url=["https://mymispserver_1", "https://mymispserver_2"]
 key=["mykey_1", "mykey_2" ]
 certpath=["", ""]
 name=["MISP_SERVER_NAME_1", "MISP_SERVER_NAME_2"]
}

Important note: You have to adjust your existing configuration to match the one shown above. The certpath variable can be left blank if you are not using a self-signed certificate.

When called from TheHive, the following output is produced:

sc-short-MISP.png

sc-MISP-long.png
TheHive: MISP 2.0 Analyzer – Short and Long Report Samples

The short report will show the number of unique events found in all MISP servers while the long report will show information of each matching event in each MISP server.

CERTatPassiveDNS

The CERTatPassiveDNS analyzer is a new submission by Nils (thanks again). It lets you check the CERT.at PassiveDNS service for a given domain or hostname. It takes domains and FQDN as input.

Access to the CERT.at service is allowed to trusted partners only. If you think you qualify, please contact CERT.at. You do not need to add specific information into the Cortex configuration file to benefit from this analyzer as it calls the whois system command to perform the pDNS requests.

When called from TheHive, the following output is produced:

sc-certatpdns-short.png

 

sc-long-CERTatPassiveDNS_1_0.png
TheHive: CERTatPassiveDNS Analyzer – Short and Long Report Samples

 

Miscellaneous

The latest version of the Cortex-analyzers repository also include the following bug fixes and improvements:

  • #61: fix typos in two requirements.txt files – by Michael Salsone
  • #65: update the Joe Sandbox analyzer’s long report to support version 19.0.0
  • #67: fixed mistake in the FireHol analyzer –  by Nils Kuhnert
  • #69: use http://server:port for Hippocampe instead of http://server:port/hippocampe/api/v1.0/

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Correction: July 6, 2017 
An earlier version of this post mispelled Nils Kuhnert’s last name.

TheHive, Cortex and MISP: How They All Fit Together

TheHive, Cortex and MISP work nicely together and if you’ve read our June-Dec 17 roadmap post, the integration of our products with the de facto threat sharing platform will get better in a few months.

During the FIRST conference presentation we gave last week, we displayed a picture that we will use here to try to explain how these three open source and free products integrate with one another.

Screen Shot 2017-06-16 at 09.58.43.png
A Picture is Worth a Thousand Words…

TheHive

TheHive is a Security Incident Response Platform (SIRP). It can receive alerts from different sources (SIEM, IDS, email. etc.) via its REST API. This is where alert feeders come into play.

Alert Feeders

Think of an alert feeder as a specialized program which consumes a security event (SIEM alert, email report, IDS alert, and so on), parses it and outputs an alert that its sends to TheHive through TheHive4py, the Python library we provide to interact with TheHive’s REST API.

We do not supply such feeders but developing them should be straightforward. If not, let us know  and we’ll do our best to help you out.

Alerts

Any alert sent to TheHive will show up in its Alerts pane. In addition to the sources mentioned above, new or updated MISP events will show up as well in that area if you configured TheHive to connect to one or several MISP instances. If so, TheHive will poll those MISP instance(s) at every interval looking for new or updated events. If there are any, TheHive will generate an alert which will end up in the Alerts pane.

Screen Shot 2017-06-18 at 15.29.51.png
The Alerts Pane

Alerts can be ignored, mark as read, previewed and imported. When an alert is imported, it becomes a case that needs to be investigated.

Cases

workflow
The Workflow that is at the Heart of TheHive

A case can be generated from an alert or created from scratch. It is subdivided into tasks (think identification, containment, eradication, check proxy logs, and so on) and observables (IP addresses, hashes, email addresses, domain names, URLs…). When analysts are working on tasks, they add logs as they go. In TheHive’s terminology, logs are text entries which may contain attachments to help analysts record what they have been doing. Logs can be written using Markdown or a rich-text editor.

Case Templates

You don’t need to add the same tasks over and over when working on cases belonging to a given category (DDoS, Malspam, APT, …). You can create custom templates to which you add tasks as shown below. This is very useful when you are dealing with alerts so that when you import them, you can select which case template you’d like to apply and there you go!

Screen Shot 2017-06-16 at 10.26.22.png
A Sample Case Template
Observables

Observables can be tagged, flagged as IOCs, and analyzed. When the investigation is well in progress or completed, you may want to share the resulting IOCs or a subset of those with partners and peers. TheHive will support the ability to export that data to MISP in September 2017. Until then, you can still export your IOCs as text, CSV or as a MISP-compatible format that you can use to add them to your MISP instance using the freetext editor. TheHive can export IOCs/observables in protected (hxxps://www[.]somewhere[.]com/) or unprotected mode.

Every observable must have a TLP (Traffic Light Protocol) level. By default, any added observable is considered TLP:AMBER. Please note that the TLP is taken into account by some analyzers. Wait! Analyzers?

Cortex

Cortex is our standalone analysis engine and a perfect companion for TheHive and MISP. Analysts can use it to analyze observables using its Web UI, in which case they can be submitted only one at a time. The Web UI should really be limited to quick assessments of observables before creating a case in TheHive (or in an alternate SIRP). The power of Cortex really comes into play when you use its REST API. TheHive speaks natively to Cortex (as MISP does). Moreover, TheHive can leverage one or several Cortex servers.

Screen Shot 2017-06-18 at 15.57.27.png
Observable Page and List of Analyzers
Analyzers

As of this writing, Cortex has 23 analyzers which come in a total of 39 flavors and more will be available soon.

An analyzer can be written in any programming language supported by Linux though all of our current analyzers are written in Python. This is because we provide a Python library called Cortexutils which contains a set of utility classes that make it easier to write an analyzer in Python.

Flavors

Analyzers such as VirusTotal, PassiveTotal or DomainTools can provide different analysis services. Let’s take VirusTotal as an example. You can scan a file or URL. That’s one flavor. You can also obtain the latest available report on VirusTotal.com for a file, hash, domain or IP address. That’s a second flavor. So the VirusTotal analyzer has two flavors.

Screen Shot 2017-06-18 at 16.26.41.png

How about PassiveTotal? It has 8 flavors: unique resolutions lookup, SSL certificate history lookup, malware lookup, passive DNS lookup, data enrichment lookup, SSL certificate details lookup, OSINT lookup and WHOIS data lookup.

The MISP Search Analyzer

At this point, we need to mention a special analyzer that may create some confusion if not understood correctly: the MISP Search analyzer. Thanks to it, Cortex has the ability to search observables within a MISP instance as represented by the arrow that goes from the Analyzers to MISP.

Screen_Shot_2017-06-19_at_08_03_54.png
Search for MISP Events Containing a Given Observable

When an observable is found in an event, Cortex will return the number of records found (i.e. the number of events where the observable has been found) and a list of links to those events with additional data.

Screen_Shot_2017-06-19_at_08_13_16.png
Searching for a Hash Using the MISP Search Analyzer from the Cortex Web UI
Screen Shot 2017-06-19 at 08.17.04.png
The Same Search Conducted from TheHive: Long Report
Screen Shot 2017-06-19 at 08.18.58.png
Mini-Report

The current version of the MISP Search analyzer can only search within a single MISP instance but in the near future, it will be able to support multiple ones.

MISP Expansion Modules

Besides its own analyzers (which include MISP Search described above), Cortex can also invoke MISP expansion modules. These are normally used by MISP to enrich attributes within events but Cortex can also take advantage of them to analyze observables.

There is some overlap between the native Cortex analyzers and MISP expansion modules. When choosing between a native analyzer or an expansion module, we highly recommend you select the former. The expansion modules are deactivated in the default Cortex configuration.

Jobs

When you submit an observable for analysis, Cortex will create a job and, if successful, it will generate an analysis report in JSON format. TheHive has the ability to parse those results and present them in a human-friendly fashion thanks to report templates we offer for free. So when you’ll submit an observable to Cortex from TheHive, you’ll get back a short (or mini) report and a long one. The first can be thought of as a really tiny Exec Analyst Summary while the second provides more insight and details.

Calling Cortex from MISP

In addition to the expansion modules we have just mentioned, MISP 2.4.73 and up can enrich attributes using Cortex analyzers. The configuration is pretty straightforward. So if all you are concerned about is threat intelligence and sharing, you may augment your visibility into a given threat represented as a MISP event by leveraging all current 23 Cortex analyzers and any future ones.

Conclusion

TheHive, Cortex and MISP are three open source and free products that can highly aid you combat threats and keep the ‘monsters’ at bay.

TheHive, as a SIRP, allows you to investigate security incident swiftly in a collaborative manner. Several analysts can work simultaneously on tasks & cases . While cases can be created from scratch, TheHive can receive alerts from different sources thanks to alert feeders which consume security events generated by multiple sources and feed them into TheHive using TheHive4py Python library. TheHive can also sync to one or several MISP instances to receive new and updated events which will appear in the alert pane with all the other alerts generated by other sources. Analysts can then preview new alerts to decide whether they need to be acted upon. If so, they can transform them into investigation cases using templates.

To analyze the observables collected in the course of an investigation and/or imported from a MISP event, TheHive can rely on one or several Cortex analysis engines. Cortex is another standalone product that we have developed which sole purpose is to allow you to analyze observables at scale thanks to its large number of analyzers, MISP expansion modules and any analyzer you might have developed on the side. Cortex has a REST API that can be used to empower other security products such as  ‘analytics’ software, alternate SIRPs or MISP.

The highly popular threat sharing platform can indeed enrich attributes thanks to Cortex as it has a native integration with it. And in a few months, you will also be able to export cases from TheHive as MISP events that you can share with peers and partners.

If you do share, you do care about our collective mission to defend the  digital assets that are under our watch from harm. So let us fight together as one.

 

 

Mellifera 11.3 Released

A few days ago, we have been made aware of a bug in the way we pulled new or updated MISP events to inject them within Mellifera’s alerting panel. As a result, some events did not show up as intended. So you might have missed some of the action shared by peers and partners through MISP.

As true Frenchmen who care a lot about cuisine, TheHive Project’s Chefs went back to their code kitchen and figured out a more palatable recipe to make sure you won’t be left under the impression that you were seeing all new or updated MISP events while in fact you didn’t (we don’t want you to go too easy & lazy n’est-ce pas ?). Mellifera 11.3 (TheHive 2.11.3), a hotfix version has been released to that end and should fix the issue. Please note that you must use MISP 2.4.73 or better.

In addition, this new version of your favorite (or soon to be favorite) Security Incident Response Platform can be installed from a deb package on Ubuntu 16.04 without having to fiddle with OpenJDK. We have repackaged the software to avoid grabbing OpenJDK 9 (which TheHive does not support) and force the installation of version 8.

Finally, if an admin creates an empty case template, users can add tasks to it while previously this wasn’t possible.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

TheHive: June-Dec 17 Roadmap

A new version of TheHive will be released by the end of June. We will take this opportunity to review our release naming and numbering from the ground up.

Months ago, we started giving ‘major’ versions (2.10, 2.11, …) the name of honey bee varieties. 2.10 was called Buckfast. 2.11, the current version, is called Mellifera. And we were supposed to give 2.12 yet another name. However, and after the few hiccups we’ve encountered with our QA as of late, we have decided to change things around in order to make sure new releases are as stable and well-maintained as you should expect them to be.

Starting from the next release (2.12), we will abide by the following numbering scheme:

  • Major versions == X (2, 3, …)
  • Minor versions = X.Y (2.12, 2.13, 3.1, …)
  • Hotfix/maintenance versions = X.Y.Z (2.12.1, 2.13.2, 3.1.1, …)

Only major versions will have corresponding honey bee names. So long as we stay with v2, we’ll keep calling all the minor versions Mellifera N (2.12.0 = Mellifera 12). Version 3 will be called Cerana.

Mellifera 12 – June 29, 2017 (planned date)

Mellifera 12 (v 2.12) will succeed to Mellifera 2 (the current version) to comply with the new naming scheme. It will allow you to see how similar new alerts are to existing cases so you can decide whether you import them into an existing case, create a new one or ignore them altogether. Mellifera 12 will show you the status of all the related cases (#229) to the one you are working on. Finally, you’ll have the ability to change the default case template before importing an alert.

M12 will also support custom fields (#12), a feature that has been requested by numerous users. This version will also add mini-reports to the Observables tab. That way, once a Cortex analysis has been completed, analysts will be able to view part or all the resulting short report in that tab instead of having to navigate to the page of each observable to read the short report.

Mellifera 13 – September 14, 2017

TheHive 2.13 should be the last Mellifera version. It will complete TheHive’s integration with MISP by adding the ability to export all observables or a subset of them to a MISP instance. Please note that TheHive allowed you from the start to import events from multiple MISP instances but since sharing is caring, we wanted to add the ability to export to this very popular threat sharing platform from your Security Incident Response Platform (SIRP). We do not want to rush it though.

Cerana – October 12, 2017

Cerana or TheHive 3.0.0 will bring a complete UI overhaul to make it even easier to work on cases, perform analysis and get your job done, after the interface refreshments Mellifera brought. It will lay the ground for some nifty features we have in mind.

Cerana 1 – November 15, 2017

TheHive 3.1.0 will include dynamic dashboards: the ability to work with the statistics and metrics the way you want and generate customized dashboards to help you drive your activities.

Keep an eye on TheHive’s milestones on GitHub. There are other features and enhancements that we might add as we progress and we will reflect them on that page.

Correction: June 12, 2017
An earlier version mentioned GitHub issue #36 as pertaining to custom fields while it is a request for globally-defined tags that an analyst can choose from.

 

 

 

Mellifera 2 Released: Make MISP Sync Great Again

The Chefs behind TheHive Project’s delicious code are happy to announce the availability of Mellifera 2 (TheHive v2.11.2),  the scalable, free and open source Security Incident Response Platform. This minor version fixes two irking issues related to MISP and adds a few enhancements detailed below.

Alerts_Panel.png
Mellifera – The New Alerting Panel

Fixed Issues

  • #220: alerts related to MISP events are not properly updated.
  • #221: in some edge cases, alerts related to MISP events are created with no attribute.

Enhancements

  • #188: display the case severity in the My tasks and the Waiting tasks pages to let analysts prioritize their work.
  • #218: show the description of an alert in the alerting panel.
  • #224: visually distinguish between analyzed and non-analyzed observables.

Download & Get Down to Work

If you have an existing TheHive installation, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Correction: May 26, 2017

A copy/paste error from a previous blog post was fixed.

Cortex 1.1.2 Released

We are glad to announce a new version of your favorite observable analysis engine which corrects bugs introduced by version 1.1.1 and adds a few enhancements. As a reminder, TheHive, our Security Incident Response Platform, can interact with one or several Cortex instances. Moreover, starting from version 1.1.1, Cortex has a two-way integration with MISP.

We highly advise you to upgrade your Cortex in to instance to 1.1.2.

Screen Shot 2017-05-24 at 11.51.54.png
Cortex 1.1.2 – Job Report Example with CERT-SG’s Abuse Finder

Fixed Issues

  • #27: fixed the daunting error 500 that many users of  TheHive encountered when a job is submitted to Cortex.
  • #29: the MISP expansion modules are now disabled by default to avoid another error 500.
  • #31: the web interface was displaying SNAPSHOT (oops!) for the Cortex version.  It now displays the correct version.

Enhancements

  • #28: when you enable the MISP expansion modules, Cortex will not be slowed down and starts without delay.
  • #30: add a page loader mask similar to TheHive’s.

Download & Get Down to Work

To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.

Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cortex 1.1.1: Two Way MISP Integration Now a Reality

TheHive Project’s Chefs are thrilled to announce the immediate availability of Cortex 1.1.1.

Starting from this version, Cortex can be integrated in two ways with MISP as described below. We would like to thank Alexandre Dulaunoy for inviting us to the Open Source Security Software Hackathon which took place in Luxembourg during two days (May 2-3, 2017). Andras Iklody worked with us during the event in order to make this two way integration a reality. Merci !

Now in addition to TheHive, our Security Incident Response Platform which can connect to multiple MISP instances to receive new or updated events, let analysts preview then import them if they deem them worth investigating, Cortex can query MISP modules or be invoked from MISP to let an instance’s users leverage the power of its 21 analyzers. And in the near future, TheHive will also gain the ability to export observables to MISP.

Invoke MISP modules within Cortex

Besides its regular analyzers, Cortex 1.1.1  can analyze observables using MISP expansion modules.

Obviously, there are some overlap between Cortex native analyzers and MISP expansion modules. For example, you could query the CIRCL’s Passive DNS service using a native Cortex analyzer or a MISP expansion module. When there’s overlap, we highly recommend you rely on the Cortex analyzer. That way, we will be able to better help you in case you encounter issues or need help to make it work.

In order to invoke MISP expansion modules within Cortex, they need to be installed on the same host that Cortex runs on. Please read the MISP Integration guide.

Invoke Cortex Analyzers within MISP

Starting from version 2.4.73, a MISP instance can invoke Cortex analyzers. To do so, connect to the MISP Web UI with sufficient privileges, then go to Administration > Server settings > Plugin settings. Edit the Cortex section as follows:

  • set Plugin.Cortex_services_enable to true
  • set Plugin.Cortex_services_url  to http://ip_address (replace ip_address with the IP address of Cortex)
  • set Plugin.Plugin.Cortex_services_port to port (replace port with the port on which Cortex is listening: 9000 by default)

Once this operation is completed, the Cortex analyzer list should appear in MISP’s Cortex section. The analyzers must be enabled to make them available to the instance users.

Documentation

Please note that we have moved all the documentation of Cortex to a new repository.

Download & Get Down to Work

To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.

Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Correction: May 18, 2017
An earlier version of this post contained a few typos which were corrected.

Mellifera 1: Bugfixes, Enhancements and Documentation

Last week, we have released Mellifera (TheHive 2.11.0), a major version of your favorite (or soon to be favorite) Security Incident Response Platform. Sadly, some annoying bugs have slipped past our QA (n’est-ce pas Thomas ?).

We are happy to announce the availability of Mellifera 1 (TheHive 2.11.1) which corrects those bugs and adds a few enhancements detailed below.

Issues Corrected

  • #204: update case templates created with previous versions of TheHive.
  • #205: remove duplicate tags associated to an observable present in two cases upon a case merging operation.
  • #206: apply case templates when an alert is converted into a case.

Enhancements

We also took the opportunity of this hotfix to add the following enhancements:

  • #180: merge duplicate tasks during a case merge operation. Starting from this release, if you have waiting tasks (i.e. not assigned) with the same name in cases you’d like to merge, the new merged case will have only one task instead of two.
  • #211: show the number of available analyzer reports for each observable. If an observable has not been analyzed yet, say so.

Documentation

Please note that we have moved all the documentation of TheHive in a new repository. If you are not using TheHive4py 1.2.0 (or future versions), you can send alerts to Mellifera using the API as documented.

Download & Get Down to Work

If you have an existing TheHive installation, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Mellifera Is Here

TheHive Project French chefs are very excited to announce the immediate availability of Mellifera, TheHive 2.11.0, the greatest and latest iteration of our flagship product.

We are thrilled to share this major version with the incident response community, for free as usual. Yes, you read that sentence right. You don’t have to cough up a single € or BTC for a platform that is as good as some commercial alternatives, unless your boss is hassling you about paying big bucks to get so-called professional support. If that’s the case, try us and you might prove them wrong.

Going through all the features and fixes of this significant overhaul will take forever (well, almost) so let us highlight a few that we feel worthy of your attention and time.

The Alerting Framework

If you need one reason to upgrade from Buckfast to Mellifera or to ditch your existing, clunky incident handling platform and use ours, then that should be its brand-new and powerful alerting framework.

With Buckfast (TheHive 2.10.x) and earlier versions, you can configure multiple MISP instances. TheHive will then poll those instances at regular intervals and display new or updated events in a specific area where analysts can preview them, import them as cases using configurable templates or ignore them altogether (and if they do so by mistake, there’s no way to go back). And if you needed to raise alerts from a SIEM, email reports or other sources of noteworthy security events, you had to rely on TheHive4py API client and create a case without having a chance to preview the events in TheHive prior to the case creation.

Mellifera does not have these limitations. It features an all new, fancy and efficient alerting framework which can be displayed using the Alerts button in the Web interface. This button was previously called MISP.

Within the Alerts area, you can preview not only new or updated MISP events but also any event that you have pushed through TheHive4py. The client has been modified to be compatible with Mellifera. If you have an existing TheHive4py package, please upgrade to the new 1.2.0 version using PIP.

sc-thehive-alerting-filters.png
The New Alerting Panel

Using TheHive4py 1.2.0, you can send your SIEM alerts, user email reports and security events from various sources to Mellifera and your analysts will be able to preview and import them or simply ignore them. If they have ignored some events by mistake, they can use the quick actions on the top of the panel to retrieve them. Please note that you have to create programs that will bridge your event sources with Mellifera through TheHive4py.

sc-thehive-alerting-stats.png
Stats within the Alerting Panel

All New Skin

Mellifera has an all new skin with many refinements spread all over the interface. For example, you can now easily reorder the tasks within a case template. You can also sort task logs according to their creation date (oldest first, newest first). The flow (a.k.a live stream) is also collapsible. Moreover, when you create a case, Mellifera will suggest existing tags.

sc-thehive-main.png
Mellifera’s Brand New Skin

Is MISP or Cortex There?

If you have configured Mellifera to interact with at least one MISP or Cortex instance, the Web interface will show their respective logos at the bottom of the page. Please note that you can now connect to MISP and Cortex even if you are behind a proxy which requires authentication.

sc-thehive-mispenable.png

sc-thehive-cortexenable.png

New Installation Packages

Starting from this release, we no longer produce all-in-one binary packages and dockers containing TheHive and Cortex. Instead you can use dockers, binaries and RPM as well as DEB packages. Wink wink.

One More Thing

Mellifera has an all new logo and the project website has been completely redesigned. Now you can see who’s behind the project thanks to Alexandre Gohier, a close friend who also happens to be a professional photographer.

Download & Try

If you have an existing TheHive installation, please follow the new migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy!

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Buckfast 2 Release and Randorisec’s Pentest Report

Our good friends at Randorisec, joined by other pentesting professionals (see below), performed a fully fledged pentest of Buckfast 0 (TheHive 2.10.0) and Cortex 1.0.0 during 4 man-days spanning several weeks, starting from February 9, 2017 and ending on March 21, 2017.

randori_logo_original.png

They have identified several security issues detailed in their report which they privately shared with us prior to publication. As a result, we are happy to announce the immediate availability of Buckfast 2 (TheHive 2.10.2) which fixes the following vulnerabilities:

  • Stored XSS (ref. AP1 in the report) and Reflected XSS (AP2): malicious JavaScript code can be injected. It will be then executed on the victim’s browser. See issue #159 for more details.
  • Vertical privilege escalation (AP3): an authenticated simple user can have access to some admin menus. See issue #160 and issue #161.
  • CSRF (AP8): As no anti-CSRF tokens are used, TheHive is vulnerable to CSRF attacks. See issue #158.

Cortex 1.0.0 and 1.0.1 are also affected by AP2. A new Cortex version will be released very shortly to fix it.

Additionally, Buckfast 2 fixes the following bugs:

  • Issue #152: pagination does not work with 100 results per page.
  • Issue #169: error when importing some MISP events due to their unexpected JSON format. This has also been fixed in MISP v2.4.71.

We have also added the following features:

  • Issue #157: add persistence for task viewing options.
  • Issue #174: run all analyzers on multiple observables from the observables view.

Randorisec identified 4 more security issues rated low which aren’t fixed by this release:

  • Concurrent sessions allowed (AP4): we do not deem this a security vulnerability and hence we won’t fix it unless our user community request a patch.
  • No account lockout policy (AP5): if you use the local authentication system, it can be brute-forced. We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
  • No password policy (AP6): as no password policy is enforced when using the local database for storing user credentials, users can set weak passwords (e.g.: containing only one character). We are going to fix this in Mellifera 1 (TheHive 2.11.1) due at the end of May 2017. In the meantime, you can use LDAP, Active Directory or both and configure a password policy on those systems.
  • Information leakage (AP7): information such as installed software versions (TheHive, ElasticSearch) is publicly available. TheHive should be not be publicly accessible and access should be filtered by a firewall or a similar device for authorized IP addresses only.

If you are running Buckfast 1 or a previous version, please follow the updating instructions to update to Buckfast 2. It is actually an extremely simple operation. If you are doing a fresh installation, we have you covered as well.

Should you encounter any difficulties, please do not hesitate to read the FAQ, ask questions on the user forum or on Gitter, or contact us directly at support@thehive-project.org.

Please note that Randorisec and the pentesting professionals that joined it for this pentest have no contract with TheHive Project and did not receive any compensation of any sort to perform this work. They worked on their free time as a way to contribute to the security of Free, Open Source Software projects. We’d like to wholeheartedly thank Davy Douhine, Randorisec’s CEO, ArtsSEC, Frédéric Cikala, Nicolas Mattiocco, Florent Montel and Mohamed Mrabah for their invaluable contribution.

Correction: April 21, 2017
An earlier version of this article mentioned Maximilano Soler among the professionals who joined Randorisec to perform a pentest on our products. At his request, we have removed his name and replaced it by ArtsSEC.